| title | Create and deploy a Django Python web app to Azure with managed identity |
|---|---|
| description | Use the Azure CLI to create and deploy a Django Python web app to Azure App Service using a user-assigned managed identity. |
| ms.devlang | python |
| ms.topic | tutorial |
| author | bobtabor-msft |
| ms.author | rotabor |
| ms.date | 05/30/2023 |
| ms.custom | devx-track-python |
In this tutorial, you deploy Python Django code to create and deploy a web app running in Azure App Service. The web app uses managed identity (passwordless connections) with Azure role-based access control to access Azure Storage and Azure Database for PostgreSQL - Flexible Server resources. The code uses the DefaultAzureCredential class of the Azure Identity client library for Python. The DefaultAzureCredential class automatically detects that a managed identity exists for the App Service and uses it to access other Azure resources.
In this tutorial, you create a user-assigned managed identity and assign it to the App Service so that it can access the database and storage account resources. For an example of using a system managed identity, see Create and deploy a Flask Python web app to Azure with managed identity. User-assigned identities are recommended because they can be used by multiple resources, and their life cycles are decoupled from the resources’ life cycles with which they’re associated. For more information about best practices of using managed identities, see Managed identity best practice recommendations.
This tutorial shows you how to create and deploy a Python web app using the Azure CLI. You can run the tutorial commands in any environment with the CLI installed, such as your local environment, the Azure Cloud Shell, or GitHub Codespaces. For examples of using the Azure portal or Visual Studio Code to create and deploy, see Deploy a Python web app to Azure with managed identity.
A sample Python application using the Django framework are available to help you follow along with this tutorial. Download or clone one of the sample applications to your local workstation.
-
Clone the sample in an Azure Cloud Shell session.
git clone https://github.com/Azure-Samples/msdocs-django-user-assigned-managed-identity.git -
Navigate to the application folder.
cd msdocs-django-user-assigned-managed-identity
-
Set up the environment variables needed for the tutorial and create a resource group with the az group create command.
LOCATION="eastus" RAND_ID=$RANDOM RESOURCE_GROUP_NAME="msdocs-mi-web-app" APP_SERVICE_NAME="msdocs-mi-web-$RAND_ID" DB_SERVER_NAME="msdocs-mi-postgres-$RAND_ID" ADMIN_USER="demoadmin" ADMIN_PW="ChAnG33#ThsPssWD$RAND_ID" az group create --location $LOCATION --name $RESOURCE_GROUP_NAME[!IMPORTANT] The
ADMIN_PWmust contain 8 to 128 characters from three of the following categories: English uppercase letters, English lowercase letters, numbers, and nonalphanumeric characters. When creating usernames or passwords do not use the$character. Later you create environment variables with these values where the$character has special meaning within the Linux container used to run Python apps. -
Create a PostgreSQL server with the az postgres flexible-server create command. (This and subsequent commands use the line continuation character for Bash Shell ('\'). Change the line continuation character for your shell if needed.)
az postgres flexible-server create \ --resource-group $RESOURCE_GROUP_NAME \ --name $DB_SERVER_NAME \ --location $LOCATION \ --admin-user $ADMIN_USER \ --admin-password $ADMIN_PW \ --sku-name Standard_D2ds_v4The sku-name is the name of the pricing tier and compute configuration. For more information, see Azure Database for PostgreSQL pricing. To list available SKUs, use
az postgres flexible-server list-skus --location $LOCATION. -
Create a database named
restaurantusing the az postgres flexible-server execute command.az postgres flexible-server execute \ --name $DB_SERVER_NAME \ --admin-user $ADMIN_USER \ --admin-password $ADMIN_PW \ --database-name postgres \ --querytext 'create database restaurant;'
Run these commands in the root folder of the sample app.
-
Create an app service using the az webapp up command.
az webapp up \ --resource-group $RESOURCE_GROUP_NAME \ --name $APP_SERVICE_NAME \ --runtime PYTHON:3.9 \ --sku B1The sku defines the size (CPU, memory) and cost of the app service plan. The B1 (Basic) service plan incurs a small cost in your Azure subscription. For a full list of App Service plans, view the App Service pricing page.
-
Configure App Service to use the start.sh in the repo with the az webapp config set command.
az webapp config set \ --resource-group $RESOURCE_GROUP_NAME \ --name $APP_SERVICE_NAME \ --startup-file "start.sh"
The sample app uses a storage account and blob container to store photos. The storage account is configured to allow public access to the container. The app uses the managed identity and the DefaultAzureCredential to access the storage account.
-
Use the az storage create command to create a storage account.
$STORAGE_ACCOUNT_NAME="msdocsstorage$RANDOM" az storage account create \ --name $STORAGE_ACCOUNT_NAME \ --resource-group $RESOURCE_GROUP_NAME \ --location $LOCATION \ --sku Standard_LRSTBD: Verify this command.
-
Create a container called photos in the storage account with the az storage container create command.
az storage container create \ --account-name $STORAGE_ACCOUNT_NAME \ --name photos \ --public-access blob
Create a user-assigned managed identity and assign it to the App Service. The managed identity is used to access the database and storage account.
-
Use the az identity create command to create a user-assigned managed identity and output the client ID to a variable.
UAClientID=$(az identity create --name UAManagedIdentity --resource-group $RESOURCE_GROUP_NAME --query clientId --output tsv) -
Use the az account show command to get your subscription ID and output it to a variable.
SUBSCRIPTION_ID=$(az account show --query id --output tsv) -
Assign the managed identity to the App Service with the az webapp identity assign command.
az webapp identity assign \ --resource-group $RESOURCE_GROUP_NAME \ --name $APP_SERVICE_NAME \ --identities UAManagedIdentityTBD: Does the --identities parameter really take the identity name?
-
Create an App Service app setting that contains the client ID of the managed identity with the az webapp config appsettings set command.
az webapp config appsettings set \ --resource-group $RESOURCE_GROUP_NAME \ --name $APP_SERVICE_NAME \ --settings AZURE_CLIENT_ID=$UAClientID
In this section, you create role assignments for the managed identity to enable access to the storage account and database.
-
Create a role assignment for the managed identity to enable access to the storage account with the az role assignment create command.
export MSYS_NO_PATHCONV=1 az role assignment create \ --assignee $UAClientID \ --resource-group $RESOURCE_GROUP_NAME \ --role "Storage Blob Data Contributor" --scope "/subscriptions/$SUBSCRIPTION_ID/resourcegroups/$RESOURCE_GROUP_NAME"The command specifies the scope of the role assignment to the resource group. For more information, see Understand role assignments.
-
Execute T-SQL commands to create a user for the managed identity and assign roles to that user. Use the az postgres flexible-server execute command.
az postgres flexible-server execute \ --name $DB_SERVER_NAME \ --admin-user $ADMIN_USER \ --admin-password $ADMIN_PW \ --database-name postgres \ --querytext 'CREATE USER "UAManagedIdentity" FROM EXTERNAL PROVIDER;ALTER ROLE db_datareader ADD MEMBER "UAManagedIdentity";ALTER ROLE db_datawriter ADD MEMBER "UAManagedIdentity";ALTER ROLE db_ddladmin ADD MEMBER "UAManagedIdentity";'
The sample Python app uses the azure.identity package and its DefaultAzureCredential class. DefaultAzureCredential automatically detects that a managed identity exists for the App Service and uses it to access other Azure resources (storage and PostgreSQL in this case). There's no need to provide storage keys, certificates, or credentials to the App Service to access these resources.
-
Browse to the deployed application at the URL
http://$APP_SERVICE_NAME.azurewebsites.net.It can take a minute or two for the app to start. If you see a default app page that isn't the default sample app page, wait a minute and refresh the browser.
-
Test the functionality of the sample app by adding a restaurant and some reviews with photos for the restaurant.
The restaurant and review information is stored in Azure Database for PostgreSQL and the photos are stored in Azure Storage. Here's an example screenshot:
:::image type="content" source="./media/python-web-app-managed-identity/example-of-review-sample-app-production-deployed-small.png" lightbox="./media/python-web-app-managed-identity/example-of-review-sample-app-production-deployed.png" alt-text="Screenshot of the sample app showing restaurant review functionality using Azure App Service, Azure PostgreSQL Database, and Azure Storage." :::
In this tutorial, all the Azure resources were created in the same resource group. Removing the resource group removes with the az group delete command removes all resources in the resource group and is the fastest way to remove all Azure resources used for your app.
az group delete --name $RESOURCE_GROUP_NAME
You can optionally add the --no-wait argument to allow the command to return before the operation is complete.